sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-12-05 00:01:49 -05:00
Code Issues Projects Releases Wiki Activity

tls-test: Add support to require/verify client certificates

Browse Source 
Also add detailed usage output with description of all options.
This commit is contained in:
Pascal Knecht 2020-11-01 16:39:00 +01:00 committed by Tobias Brunner
parent d2fc9b0961
commit 299cc80094
1 changed files with 34 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
scripts/tls_test.c
View File

@ -37,8 +37,27 @@
static void usage(FILE *out, char *cmd) static void usage(FILE *out, char *cmd)
{ {
fprintf(out, "usage:\n"); fprintf(out, "usage:\n");
fprintf(out, " %s --connect <address> --port <port> [--key <key] [--cert <file>]+ [--times <n>]\n", cmd); fprintf(out, " %s --connect <address> --port <port> [--key <key] [--cert <file>] [--cacert <file>]+ [--times <n>]\n", cmd);
fprintf(out, " %s --listen <address> --port <port> --key <key> [--cert <file>]+ [--times <n>]\n", cmd); fprintf(out, " %s --listen <address> --port <port> --key <key> --cert <file> [--cacert <file>]+ [--times <n>]\n", cmd);
fprintf(out, "\n");
fprintf(out, "options:\n");
fprintf(out, " --help print help and exit\n");
fprintf(out, " --connect <address> connect to a server on dns name or ip address\n");
fprintf(out, " --listen <address> listen on dns name or ip address\n");
fprintf(out, " --port <port> specify the port to use\n");
fprintf(out, " --cert <file> certificate to authenticate itself\n");
fprintf(out, " --key <file> private key to authenticate itself\n");
fprintf(out, " --cacert <file> certificate to verify other peer\n");
fprintf(out, " --times <n> specify the amount of repeated connection establishments\n");
fprintf(out, " --ipv4 use IPv4\n");
fprintf(out, " --ipv6 use IPv6\n");
fprintf(out, " --min-version <version> specify the minimum TLS version, supported versions:\n");
fprintf(out, " 1.0 (default), 1.1, 1.2 and 1.3\n");
fprintf(out, " --max-version <version> specify the maximum TLS version, supported versions:\n");
fprintf(out, " 1.0, 1.1, 1.2 and 1.3 (default)\n");
fprintf(out, " --version <version> set one specific TLS version to use, supported versions:\n");
fprintf(out, " 1.0, 1.1, 1.2 and 1.3\n");
fprintf(out, " --debug <debug level> set debug level, default is 1\n");
} }
/** /**
@ -132,7 +151,7 @@ static int run_client(host_t *host, identification_t *server,
/** /**
* Server routine * Server routine
*/ */
static int serve(host_t *host, identification_t *server, static int serve(host_t *host, identification_t *server, identification_t *client,
int times, tls_cache_t *cache, tls_version_t min_version, int times, tls_cache_t *cache, tls_version_t min_version,
tls_version_t max_version) tls_version_t max_version)
{ {
@ -170,7 +189,7 @@ static int serve(host_t *host, identification_t *server,
} }
DBG1(DBG_TLS, "%#H connected", host); DBG1(DBG_TLS, "%#H connected", host);
tls = tls_socket_create(TRUE, server, NULL, cfd, cache, min_version, tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version,
max_version, TRUE); max_version, TRUE);
if (!tls) if (!tls)
{ {
@ -289,7 +308,7 @@ int main(int argc, char *argv[])
char *address = NULL; char *address = NULL;
bool listen = FALSE; bool listen = FALSE;
int port = 0, times = -1, res, family = AF_UNSPEC; int port = 0, times = -1, res, family = AF_UNSPEC;
identification_t *server, *client; identification_t *server, *client = NULL;
tls_version_t min_version = TLS_1_0, max_version = TLS_1_3; tls_version_t min_version = TLS_1_0, max_version = TLS_1_3;
tls_cache_t *cache; tls_cache_t *cache;
host_t *host; host_t *host;
@ -305,6 +324,7 @@ int main(int argc, char *argv[])
{"port", required_argument, NULL, 'p' }, {"port", required_argument, NULL, 'p' },
{"cert", required_argument, NULL, 'x' }, {"cert", required_argument, NULL, 'x' },
{"key", required_argument, NULL, 'k' }, {"key", required_argument, NULL, 'k' },
{"cacert", required_argument, NULL, 'f' },
{"times", required_argument, NULL, 't' }, {"times", required_argument, NULL, 't' },
{"ipv4", no_argument, NULL, '4' }, {"ipv4", no_argument, NULL, '4' },
{"ipv6", no_argument, NULL, '6' }, {"ipv6", no_argument, NULL, '6' },
@ -333,6 +353,13 @@ int main(int argc, char *argv[])
return 1; return 1;
} }
continue; continue;
case 'f':
if (!load_certificate(optarg))
{
return 1;
}
client = identification_create_from_encoding(ID_ANY, chunk_empty);
continue;
case 'l': case 'l':
listen = TRUE; listen = TRUE;
/* fall */ /* fall */
@ -402,10 +429,11 @@ int main(int argc, char *argv[])
cache = tls_cache_create(100, 30); cache = tls_cache_create(100, 30);
if (listen) if (listen)
{ {
res = serve(host, server, times, cache, min_version, max_version); res = serve(host, server, client, times, cache, min_version, max_version);
} }
else else
{ {
DESTROY_IF(client);
client = find_client_id(); client = find_client_id();
res = run_client(host, server, client, times, cache, min_version, res = run_client(host, server, client, times, cache, min_version,
max_version); max_version);